WannaCry ‘hero’ Marcus Hutchins admits he wrote banking malware

FILE – In this Monday, May 15, 2017, file photo, British IT expert Marcus Hutchins speaks during an interview in Ilfracombe, England. Hutchins, a young British researcher credited with derailing a global cyberattack in May, has been arrested for allegedly creating and distributing banking malware, U.S. authorities say. Hutchins was detained in Las Vegas on Wednesday, Aug. 2, 2017, while flying back to Britain from Defcon, an annual gathering of hackers and IT security gurus. A grand jury indictment charges Hutchins with “creating and distributing” malware known as the Kronos banking Trojan. (AP Photo/Frank Augstein, File)

Friday 4 August 2017 21.09 EDT — First published on Friday 4 August 2017 20.32 EDT

The British security researcher who stopped a global ransomware attack admitted to police that he wrote the code of a malware that targeted bank accounts, US prosecutors said during a hearing on Friday, but his attorneys said that he planned to plead not guilty.

Marcus Hutchins, the 23-year-old hailed as a hero for stopping the WannaCry ransomware attack, is accused of helping to create, spread and maintain the banking trojan Kronos between 2014 and 2015 and is facing six counts of hacking-related charges from the US Department of Justice (DoJ), according to a recently unsealed indictment.

A judge ruled on Friday that Hutchins – who had been in Las Vegas for the annual Def Con hacking conference – could be released on $30,000 bail. The judge said the defendant was not a danger to the community nor a flight risk and ordered him to remain in the US with GPS monitoring.

Dan Cowhig, the prosecutor, argued in federal court that Hutchins should not be freed because he is a “danger to the public”, adding: “He admitted he was the author of the code of Kronos malware and indicated he sold it.”

As part of a sting operation, undercover officers had bought the code from Hutchins and his co-defendant, who is still at large, Cowhig said in court. The prosecutor said there is also evidence from chat logs between Hutchins and the co-defendant, revealing that Hutchins complained about the money he received for the sale.

She added: “He has dedicated his life to researching malware, not to trying to harm people.”

The attorney also told reporters that Hutchins’ supporters were raising money for his bond and that he should be released on Monday.

“He has tremendous community support, local and abroad and in the computer world.”

She declined to comment on the specifics of the charges, but said he was “completely shocked” by the indictment and that he was “in good spirits”.

The DoJ charges relate to the Kronos malware, which is a type of malicious software used to steal people’s credentials, such as internet banking passwords.

According to the indictment, Hutchins’ co-defendant advertised the malware for sale on AlphaBay, a darknet marketplace, and sold it two months later. The indictment did not make clear if the malware was actually sold through AlphaBay.

US and European police eventually seized servers for the marketplace, which was shut down on 20 July.

Hutchins, known on Twitter as @MalwareTechBlog, gained a reputation as an “accidental hero” in May for halting the global spread of the WannaCry ransomware attack. WannaCry infected hundreds of thousands of computers worldwide in less than a day, encrypting their hard drives and asking for a ransom of $300 in bitcoin to unlock the files. The cyberattack wreaked havoc on organisations including the UK’s National Health Service, FedEx and Telefónica.

The cybersecurity researcher, working with Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

The British security expert hailed as a hero for helping shut down a global cyber attack admitted in a police interview that he created code which harvests bank details and “indicated” that he sold it, a prosecutor told his US court hearing.

But Marcus Hutchins, from Ilfracombe, Devon, plans to plead not guilty to all six counts of creating and distributing the Kronos malware, his lawyer said after his hearing in Las Vegas on Friday.

The 23-year-old, who found a “kill-switch” that derailed the attack that crippled the NHS in May, was granted bail under strict conditions that he pay 30,000 dollars (£23,000) and remain in the US.

Dan Cowhig, prosecuting, told the federal court Hutchins should not be freed because he is a “danger to the public”.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” Mr Cowhig said.

Hutchins and his unnamed co-defendant, who is still at large, were caught in a sting operation when undercover officers bought the code, the prosecutor added.

Other evidence comes from chat logs between him and a co-defendant during which Hutchins complains about the money he received for the sale, Mr Cowhig said.

After the hearing, Hutchins’ lawyer Adrian Lobo denied he is the author and said he would be pleading not guilty to all of the charges, which date between July 2014 and July 2015.

She said: “He fights the charges and we intend to fight the case.

“He has dedicated his life to researching malware, not trying to harm people. Use the internet for good is what he has done.”

Hutchins spoke softly as he answered procedural questions and confirmed his identity while wearing a prison-issued yellow jumpsuit with “detainee” stamped on the back, and bright orange Crocs shoes.

District judge Nancy Koppe ordered his release on bail, considering that he has no criminal history and that the allegations date back two years.

He cannot access the internet, must be monitored by GPS, must surrender his passport and may reside only in Clark County, Nevada, and within the Eastern District of Wisconsin, where he will appear in court on Tuesday.

At that hearing he is expected to formally enter his pleas.

Hutchins, also known as MalwareTech, was indicted alongside an unidentified co-defendant by a grand jury over allegations unrelated to his work halting the attack by the WannaCry ransomware that hit more than 300,000 computers in 150 countries.

The indictment claims Hutchins created the malware that can side-step anti-virus software to steal banking usernames and passwords before conspiring with the co-defendant to sell it on internet forums.

Prosecutors claim the co-defendant successfully sold the software for 2,000 dollars (£1,522) in digital currency in June 2015.

Janet Hutchins, the researcher’s mother, has said it is “hugely unlikely” he is involved because he has dedicated “enormous amounts of time and even his free time” combating such software.

The FBI arrested Hutchins at McCarran International Airport, where he was trying to fly back to Britain from the Def Con hacking conference, a friend said.

Hutchins, who works for Los Angeles-based computer security firm Kryptos Logic, was expected to be released later on Friday.